Setting Up Secure Connections Between Two MikroTik Routers Using WireGuard

WireGuard is a fast, modern, and secure VPN solution, making it an excellent choice for connecting two MikroTik routers, even on lower-power devices like hAP Lite. In this blog post, we’ll guide you through the process of configuring two MikroTik routers using WireGuard to create a secure connection between your home site and a remote site.


Pre-Requisites

  1. MikroTik routers with RouterOS 7.x or later (WireGuard is only available in RouterOS v7+).
  2. Ensure both devices (local and remote) are reset to factory settings or have no conflicting configurations.
  3. Access to both routers’ WinBox or WebFig for configuration.
  4. Basic knowledge of CIDR addressing and routing.

Step 1: Enable WireGuard on Both Routers

Router 1: Home Site

  1. Open WinBox or WebFig and connect to the home router.
  2. Navigate to Interfaces > WireGuard.
  3. Click the “+” button to add a new WireGuard interface:
    • Name: wg-home
    • Listen Port: 51820 (default WireGuard port; ensure it’s open on your firewall/router).
  4. Copy the Public Key (you’ll use this on the remote router later).
  5. Add an IP address to the WireGuard interface:
    • Go to IP > Addresses, click “+”, and assign an IP:
      • Address: 192.168.100.1/24
      • Interface: wg-home

Router 2: Remote Site

Repeat the above steps for the remote router with the following differences:

  • Interface Name: wg-remote
  • Listen Port: Use a different port if required (e.g., 51821), but 51820 is acceptable.
  • IP Address: Assign 192.168.100.2/24 to wg-remote.

Step 2: Add WireGuard Peers

Router 1 (Home Site):

  1. Go to Interfaces > WireGuard > Peers and click “+”.
  2. Configure the peer:
    • Public Key: Enter the remote router’s public key (from wg-remote).
    • Allowed Address: 192.168.100.2/32 (the remote WireGuard IP).
    • Endpoint Address: Enter the WAN IP of the remote router (e.g., 203.0.113.2).
    • Endpoint Port: Enter the remote router’s WireGuard port (e.g., 51820).

Router 2 (Remote Site):

  1. Go to Interfaces > WireGuard > Peers and click “+”.
  2. Configure the peer:
    • Public Key: Enter the home router’s public key (from wg-home).
    • Allowed Address: 192.168.100.1/32.
    • Endpoint Address: Enter the WAN IP of the home router (e.g., 203.0.113.1).
    • Endpoint Port: Enter the home router’s WireGuard port (e.g., 51820).

Step 3: Configure Firewall Rules

  1. Go to IP > Firewall > Filter Rules and add the following rules:
    • Allow WireGuard traffic (UDP):
      • Chain: input
      • Protocol: udp
      • Dst Port: 51820 (or the configured WireGuard port).
      • Action: accept
    • Allow WireGuard IPs:
      • Chain: input
      • Src Address: 192.168.100.0/24
      • Action: accept
  2. Move these rules above any drop/reject rules.

Step 4: Configure Routing

  1. Route Traffic Through WireGuard:
    • Go to IP > Routes.
    • Add a route to the remote network:
      • Destination Address: 192.168.2.0/24 (remote LAN).
      • Gateway: 192.168.100.2 (remote WireGuard IP).
  2. On the Remote Router, add a similar route:
    • Destination Address: 192.168.1.0/24 (home LAN).
    • Gateway: 192.168.100.1 (home WireGuard IP).

Step 5: Test the Connection

  1. Ping the remote router from the home router to ensure the WireGuard tunnel is up:
    • From Router 1: Ping 192.168.100.2.
    • From Router 2: Ping 192.168.100.1.
  2. Verify that devices on the home LAN (192.168.1.0/24) can access devices on the remote LAN (192.168.2.0/24), and vice versa.

Step 6: Optimize for Performance

  • MSS Clamping: Add an MSS (Maximum Segment Size) rule to prevent fragmentation:
    • Go to IP > Firewall > Mangle and add a new rule:
      • Chain: forward
      • Out Interface: wg-home or wg-remote
      • Action: change-mss
      • New MSS: 1380.
  • Use Fasttrack: Ensure fasttrack is enabled for optimal performance.
  • Monitor Resources: hAP Lite is a low-power device, so monitor CPU usage during heavy VPN traffic.

Step 7: Secure the Configuration

  1. Use strong keys for WireGuard (minimum 256-bit).
  2. Restrict Allowed Addresses for each peer to only the necessary subnets.
  3. Keep RouterOS updated for the latest security patches.
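The same build-out as a RouterOS 7 terminal script, added here as an example and not taken from the original post. It walks Steps 1 to 7 on both routers and spells out two details the GUI steps leave implicit: the peer's allowed-address has to contain the remote LAN as well as its tunnel IP (the "necessary subnets" of Step 7), otherwise WireGuard discards the packets that the Step 4 route sends into the tunnel, and change-mss only matches TCP SYN packets. The persistent-keepalive value, the in-interface matcher on the second input rule, and the place-before ordering are my additions; <REMOTE_PUBLIC_KEY> and <HOME_PUBLIC_KEY> are placeholders for the keys each router prints.

```routeros
# ---- Router 1 (home site), RouterOS 7.x terminal ----
# Step 1: RouterOS generates the private key; print shows the public key to copy.
/interface/wireguard/add name=wg-home listen-port=51820
/interface/wireguard/print
/ip/address/add address=192.168.100.1/24 interface=wg-home

# Step 2: the peer is the remote router. allowed-address is WireGuard's
# cryptokey routing table: inner packets whose source (inbound) or destination
# (outbound) is outside this list are dropped, so the remote LAN must be here
# for the Step 4 route to carry traffic. persistent-keepalive (my addition)
# keeps NAT state alive when one side sits behind a NAT router.
/interface/wireguard/peers/add interface=wg-home \
    public-key="<REMOTE_PUBLIC_KEY>" \
    allowed-address=192.168.100.2/32,192.168.2.0/24 \
    endpoint-address=203.0.113.2 endpoint-port=51820 \
    persistent-keepalive=25s

# Step 3: accept handshakes on the listen port, then traffic from the tunnel
# network. in-interface=wg-home (my addition) stops a spoofed 192.168.100.x
# source arriving on the WAN from matching. place-before=0 puts each rule at
# the top of the chain, above the default drop rules.
/ip/firewall/filter/add chain=input action=accept protocol=udp dst-port=51820 \
    comment="wireguard handshake" place-before=0
/ip/firewall/filter/add chain=input action=accept src-address=192.168.100.0/24 \
    in-interface=wg-home comment="wireguard peers" place-before=0

# Step 4: reach the remote LAN through the tunnel.
/ip/route/add dst-address=192.168.2.0/24 gateway=192.168.100.2

# Step 6: MSS clamping. change-mss rewrites the MSS option, which only exists
# in TCP SYN segments, so protocol=tcp tcp-flags=syn are required matchers.
/ip/firewall/mangle/add chain=forward protocol=tcp tcp-flags=syn \
    out-interface=wg-home action=change-mss new-mss=1380 passthrough=yes

# ---- Router 2 (remote site): same commands with the sides swapped ----
/interface/wireguard/add name=wg-remote listen-port=51820
/ip/address/add address=192.168.100.2/24 interface=wg-remote
/interface/wireguard/peers/add interface=wg-remote \
    public-key="<HOME_PUBLIC_KEY>" \
    allowed-address=192.168.100.1/32,192.168.1.0/24 \
    endpoint-address=203.0.113.1 endpoint-port=51820 \
    persistent-keepalive=25s
/ip/route/add dst-address=192.168.1.0/24 gateway=192.168.100.1
# (repeat the filter and mangle rules above with wg-remote in place of wg-home)

# Step 5 check: a recent last-handshake plus rising rx/tx counters means keys
# and firewall are right; no last-handshake at all usually means a key
# mismatch or the UDP listen port is blocked somewhere on the path.
/interface/wireguard/peers/print detail
/ping 192.168.100.2 count=4
```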

Conclusion

You’ve successfully configured two MikroTik hAP Lite routers using WireGuard for secure connections between your home site and a remote site. This setup ensures a fast, modern, and secure VPN connection. Test your configuration thoroughly and fine-tune it for performance and reliability.
